Thanks to @nullcookies for providing leads.

Most online scams depend on two things for success: a broken or otherwise onerous process to deal with a legitimate entity, and a desperate target population. With immigration, there are many, many burdensome processes to navigate, and most applicants involved are at least somewhat desperate due to costs and lengthy time expenditures. The result is an environment ripe for green card scams.

Looks real, but came from a scam site

Officialgreencardlottery.org (which is, in fact, none of these things) is a great example of how borrowing the symbolism and language of legitimate authorities, combined with limited authentic communications from those authorities, can create an environment ripe for scamming.

The site is professionally designed, down to a fake logo that approximates the US State Department logo as closely as legally possible. There are multiple urgent calls to action, with red “Apply Today” buttons on most pages, and dire warnings of what can happen to you if your application is entered too late. But scrolling down to the bottom, we see the following:

Which reads:

USA Green Card Office is not affiliated with the U.S. Government or any government agency. You can enter the U.S. Diversity Visa Lottery for Free at www.state.gov in between their open registration dates which typically start in early October 2018. We are not a law firm, we do not provide legal advice, and are not a substitute for an attorney. This site provides a review and submission service that requires a fee.

So not only are they not affiliated with the US government, they’re not attorneys, and therefore probably know nothing about immigration law and cannot provide meaningful help with any green card issues.

Passive DNS on the site doesn’t reveal much, except additional sites usa-dvprogram[.]info, and us-dvprogram[.]info. Stepping backwards to the last IP resolution shows the following:

official-dvlottery.us, official-usagcl.org, officialusagcl.org, usagc-eligibility.online, usagclmessage1.online

After finding little of interest in the scam infrastructure, we decided to register as a prospective immigrant and see what services were on offer.

After paying $129 for the privilege of surrendering some personal information, we promptly got a “verification call” from a man with a South Asian accent. We asked repeatedly about the process, when our application would be forwarded to the relevant officials, and how to move forward. The operator responded with a hard sell to “upgrade” our application for multiple chances to win. (This is not how the real lottery works.)

At no time were we provided any information on the real process, nor did the operator disclose at all what his company would do for us. Based on our experience with the call, the provider does not offer any services whatsoever, but will gladly take both money and significant amounts of personal data. As a scam overall, we rate it as a B-.

A question that sometimes arises with these sorts of scams amongst defenders is often, “Who could possibly fall for that?” The answer is typically, “probably you.”  Let’s look at why.

Below is the real green card lottery site at https://www.dvlottery.state.gov:

Unlike the scam site, the real one provides essentially no information on what the lottery is or how to apply. Signifiers of authenticity are limited to a small logo on the top left. There is no guidance on how to get further information.

By contrast, the scam site provides the basics on what the lottery is, some brief application statistics, and has large, prominent branding all over the site. If you, a prospective applicant, were to be presented with both sites, which one would feel more authentic? Which one would you choose if you had limited financial resources and could only apply once?  Which would feel more accommodating if you had limited English skills?

What’s happening with this scam site and the U.S. Department of State site above is quite similar to what we see with legitimate tech support and tech support scammers. An official entity does a poor job communicating with its constituency, and that creates a vacuum that scammers are all too eager to fill. So while there are concrete steps that an end user can take to stay safe from this sort of thing (see here), large companies and government agencies shoulder a share of the blame as well.

Rather than dismissing the individual for falling for the scam, a more viable solution for security personnel is to collaborate across the company to make sure your corporate communications don’t leave room for scammers to exploit. Does your marketing newsletter look like a scam? Do your support staffers authenticate themselves upon request? Can they verify third parties that work with you? These are all solvable problems that can prevent at least a portion of users from being victimized.